CN118694608B - PORTAL authentication method, device and storage medium applied to FTTR gateway - Google Patents

Info

Publication number: CN118694608B (application CN202411163208.5A)
Authority: CN (China)
Prior art keywords: authentication, gateway, mac address, terminal device, access
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Other languages: Chinese (zh)
Other versions: CN118694608A (en)
Inventors: 陈文锦, 符诚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Sichuan Tianyi Comheart Telecom Co Ltd
Original Assignee: Sichuan Tianyi Comheart Telecom Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Events: application filed by Sichuan Tianyi Comheart Telecom Co Ltd; priority to CN202411163208.5A; publication of CN118694608A; application granted; publication of CN118694608B; legal status Active; anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H04L12/00 Data switching networks
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04Q SELECTING
    • H04Q11/00 Selecting arrangements for multiplex systems
    • H04Q11/0001 Selecting arrangements for multiplex systems using optical switching
    • H04Q11/0062 Network aspects

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application discloses a PORTAL authentication method, device and storage medium applied to FTTR gateway, which receives an access request from a terminal device; obtains the MAC address of the terminal device according to the source IP address in the access request; matches the corresponding access rights from a preset first correspondence, the first correspondence includes the correspondence between the MAC address and the access rights; matches the corresponding authentication method from a preset second correspondence according to the access rights, the second correspondence includes the correspondence between the access rights and the authentication method; sends an authentication request to the terminal device in an authentication manner; and opens the access rights corresponding to the MAC address to the terminal device in response to the authentication feedback of the terminal device. A differentiated access rights management mechanism is established, which can automatically open different network usage resources to different terminal devices, and further improve the intelligence of differentiated access rights management by presetting verification methods for different access rights.

Description

Portal authentication method and device applied to FTTR gateway and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a PORTAL authentication method, device and storage medium applied to FTTR gateways.
Background
Fiber to the Room (FTTR) is a new optical-fiber broadband access technology that carries optical signals into the user's room. Its networking mode connects several sub-gateways under one main gateway, achieving high-quality whole-home Wi-Fi coverage and further improving the user's experience of a gigabit optical network. By the end of September 2023, FTTR users had exceeded 8 million (800万).
In many FTTR application scenarios the user generally has to be authenticated, and network resources are opened to the user after authentication passes. In existing FTTR gateway authentication schemes, large numbers of users are subject to one uniform authentication rule and receive the same network resource authority once authenticated; management is coarse, and the authority management and access control modes are single, which wastes network resources.
Disclosure of Invention
The application mainly aims to provide a PORTAL authentication method, a PORTAL authentication device and a storage medium applied to FTTR gateways, and aims to solve the problems of rough user authentication management, single authority management and access control modes, network resource waste and the like.
In order to achieve the above object, in a first aspect, the present application provides a PORTAL authentication method applied to an FTTR gateway, which includes receiving an access request from a terminal device, where the access request includes a source IP address of the terminal device, obtaining a MAC address of the terminal device according to the source IP address, matching a corresponding access right from a preset first correspondence according to the MAC address, where the first correspondence includes a correspondence between the MAC address and the access right, matching a corresponding authentication mode from a preset second correspondence according to the access right, where the second correspondence includes a correspondence between the access right and the authentication mode, sending an authentication request to the terminal device in the authentication mode, so that the terminal device generates authentication feedback based on the authentication request, and opening the access right corresponding to the MAC address to the terminal device in response to the authentication feedback of the terminal device.
Optionally, before matching the corresponding access rights from the preset first correspondence according to the MAC address, the method determines whether the MAC address is recorded in the first correspondence; if so, the MAC address is taken as the MAC address corresponding to the access request; if not, the direct-connected device of the terminal device is searched for in the network topology graph, and the MAC address of that direct-connected device is taken as the MAC address corresponding to the access request.
Optionally, the access rights include at least one of DNS usage rights, traffic access rights, internet surfing behavior rights, and internet surfing time rights.
Optionally, the authentication mode includes a verification-code mode or a password mode.
Optionally, receiving an access request from the terminal device includes receiving an access request forwarded by the sub-gateway, assigning a management IP address to the sub-gateway, establishing an interaction channel with the sub-gateway through the management IP address, receiving a port configuration request from the sub-gateway, and sending configuration feedback to the sub-gateway in response to the port configuration request, so that the sub-gateway adds the target port to the port service bridge according to the configuration feedback, and removes the non-target port from the port service bridge.
In a second aspect, the application provides a PORTAL authentication device applied to an FTTR gateway, which comprises a receiving module, a first matching module, a second matching module, a sending module and an authority opening module, wherein the receiving module is used for receiving an access request from a terminal device, the access request comprising a MAC address of the terminal device; the first matching module is used for matching corresponding access authorities from a preset first correspondence according to the MAC address, the first correspondence comprising a correspondence between the MAC address and the access authorities; the second matching module is used for matching corresponding authentication modes from a preset second correspondence according to the access authorities, the second correspondence comprising a correspondence between the access authorities and the authentication modes; the sending module is used for sending an authentication request to the terminal device in the authentication mode so that the terminal device generates authentication feedback based on the authentication request; and the authority opening module is used for opening the access authorities corresponding to the MAC address to the terminal device in response to the authentication feedback of the terminal device.
Optionally, the PORTAL authentication device further includes a determining module, where the determining module is configured to determine whether the MAC address is recorded in the first correspondence, if so, use the MAC address as the MAC address corresponding to the access request, if not, search the direct-connected device of the terminal device from the network topology map, and use the MAC address of the direct-connected device as the MAC address corresponding to the access request.
Optionally, the access rights include at least one of DNS usage rights, traffic access rights, internet surfing behavior rights, and internet surfing time rights.
Optionally, the authentication mode includes a verification-code mode or a password mode.
Optionally, the receiving module may be configured to receive the access request forwarded by the sub-gateway, allocate a management IP address to the sub-gateway, establish an interaction channel with the sub-gateway through the management IP address, receive a port configuration request from the sub-gateway, and send configuration feedback to the sub-gateway in response to the port configuration request, so that the sub-gateway adds the target port to the port service bridge according to the configuration feedback, and removes the non-target port from the port service bridge.
In a third aspect, the present application provides an electronic device comprising a memory and a processor, the memory storing program instructions and the processor invoking the program instructions to perform the PORTAL authentication method provided in any one of the first aspects above.
In a fourth aspect, the present application provides a computer-readable storage medium having stored therein computer-executable instructions which, when executed by a processor, are adapted to carry out a PORTAL authentication method as provided in any one of the above first aspects.
In a fifth aspect, the present application provides a computer program product comprising a computer program which, when executed, implements a PORTAL authentication method as in any one of the first aspects above.
The beneficial effects are that a differentiated access-authority management mechanism for terminal equipment is established by presetting the correspondences among MAC address, access authority and authentication mode; multiple authentication modes give the user more choices; access users are grouped by different authentication modes and verification passwords, which makes authority division, behavior management and the like convenient; and at the same time the security level of the access equipment is improved.
The PORTAL authentication method, device and storage medium applied to the FTTR gateway provided in the embodiments of the application receive an access request from a terminal device, the access request comprising a source IP address of the terminal device; acquire a MAC address of the terminal device according to the source IP address; match corresponding access authorities from a preset first correspondence according to the MAC address, the first correspondence comprising a correspondence between the MAC address and the access authorities; match corresponding authentication modes from a preset second correspondence according to the access authorities, the second correspondence comprising a correspondence between the access authorities and the authentication modes; send an authentication request to the terminal device in the authentication mode so that the terminal device generates authentication feedback based on the authentication request; and open the access authorities corresponding to the MAC address to the terminal device in response to the authentication feedback. A differentiated access-authority management mechanism keyed on the MAC address is thus established: different network resources can be opened automatically to different terminal devices, the intelligence of differentiated access-authority management is further improved by presetting verification modes for different access authorities, the utilization rate of network resources is effectively improved, and the network security level is raised.
Drawings
Fig. 1 is a schematic view of an application scenario provided by an implementation of the present application;
Fig. 2 is a flowchart of a PORTAL authentication method applied to FTTR gateways according to an embodiment of the present application;
Fig. 3 is a schematic diagram of a first correspondence and a second correspondence provided in an embodiment of the present application;
Fig. 4 is an interaction schematic diagram of a main gateway and a sub-gateway of a PORTAL authentication method applied to FTTR gateways according to an embodiment of the present application;
Fig. 5 is a second flowchart of a PORTAL authentication method applied to FTTR gateways according to an embodiment of the present application;
Fig. 6 is a schematic flow chart of a PORTAL authentication device applied to FTTR gateways according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
The achievement of the objects, functional features and advantages of the present application will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Reference numerals:
101-FTTR gateway, 102-terminal equipment, 103-network center, 301-first corresponding relation, 302-second corresponding relation, 600-PORTAL authentication device, 601-receiving module, 602-obtaining module, 603-first matching module, 604-second matching module, 605-sending module, 606-permission opening module, 700-electronic equipment, 701-processor, 702-memory, 703-communication interface, 704-system bus.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The main solution of the embodiment of the application is that different rights are opened for different terminals by setting a differential verification rule, the terminals are divided/grouped by using MAC addresses, the MAC addresses of different groups correspond to different access rights, and different authentication methods are adopted for different access rights, so that differential rights management of terminal equipment is realized.
FTTR serves a large number of users. The prior art grants everyone who authenticates successfully the same authority, without distinction; the authentication mode is single (a mobile phone generally obtains a verification code, and the same network-resource usage authority is obtained after verification), multiple authentication modes are not supported on the same equipment, the authority management mode is coarse, network resources cannot be used more efficiently, network resources are lost, and network security is weakened.
The application provides a solution, which utilizes specific authentication rules to distinguish different terminal users, so that network resources can be differentially opened to different terminal users as required, differential authority management of terminal equipment is realized, and the utilization rate of the network resources and the security level of network access are improved.
Fig. 1 is a schematic diagram of an application scenario provided by an implementation of the present application. As shown in Fig. 1, the application scenario includes an FTTR gateway 101, a terminal device 102, and a network center (hub) 103.
The FTTR gateway 101 is a network access device that carries optical-fiber signals into the user's room and serves as the access point through which the terminal device 102 reaches the network center 103. The FTTR gateway 101 provides more stable and faster network service, reduces network faults and maintenance cost, and is widely deployed in places such as hotels.
In this embodiment, the FTTR gateway 101 may include a main gateway and a plurality of sub-gateways; the terminal device 102 may reach the network center 103 by being switched to the main gateway through a sub-gateway, and in other embodiments the terminal device 102 may reach the network center 103 directly through the main gateway. In embodiments with several gateways, the PORTAL authentication method provided by the application can be applied to the main gateway, and it can also be applied to the sub-gateways.
The terminal device 102 is a hardware device that can interact with a server or a cloud platform, for example a mobile phone, a tablet, a notebook computer, a local server, a smart television, a smart refrigerator, a smart speaker, and the like, without limitation. The network center 103 is a server, cloud platform, computing center or the like that can provide network resources to the terminal device 102; in general, the network center 103 receives an access request from the terminal device 102 and opens various network resources to it.
The terminal device 102 belongs to the user side. When it accesses the network center 103, its access request first reaches the FTTR gateway, which forwards it to the network center 103; feedback information is returned to the terminal device 102 through the FTTR gateway.
In some application scenarios many terminal devices 102 try to access the network center 103 at the same time; if the same network resources are opened to all of them simultaneously, channel congestion is likely, so that important tasks cannot be processed in time.
Fig. 2 is a flowchart of a PORTAL authentication method applied to FTTR gateways according to an embodiment of the present application. As shown in Fig. 2, the method includes:
S201, receiving an access request from the terminal equipment, wherein the access request comprises a source IP address of the terminal equipment.
The access request is transmitted as a data packet and generally includes the destination address of the request, the request mode, the header information, the request body and the source IP address. The destination address is the address of the server or website (network center) to be accessed, typically an IP address or a domain name; the request mode is the protocol the terminal device uses to send the request, such as HTTP or HTTPS; the header information carries meta information about the request, such as its source and content type; the request body carries the data the terminal device needs to send to the server; and the source IP address identifies the device from which the access request originates. These data are typically included in the request body.
S202, according to the source IP address, the MAC address of the terminal equipment is obtained.
Each terminal device will have a unique MAC address for identifying the identity of the device. The terminal device sends out an access request, the FTTR gateway receives the access request and performs the following steps according to the MAC address of the access request.
S203, matching corresponding access rights from preset first corresponding relations according to the MAC address, wherein the first corresponding relations comprise the corresponding relations of the MAC address and the access rights.
Access rights include, but are not limited to, usage rights for various types of network resources, such as access control, internet behavior management, internet time, and the like. The first correspondence is preset, may be preset according to a user requirement, or may be preset according to a history of experience, and in some embodiments, the first correspondence may be adjusted and changed by an operator or a user through a preset data interface.
In the first correspondence, different MAC addresses may correspond to different access rights, for example, in an application scenario of an office building, network resources required by different departments may be different, that is, terminal devices may be divided according to the departments, for example, terminal devices in a first department may use database resources in a range of 9:00 to 12:00, and terminal devices in a second department may not use the database resources in the period.
Optionally, the access rights include at least one of DNS usage rights, traffic access rights, internet surfing behavior rights, and internet surfing time rights. Different DNS use authorities, flow access authorities, internet surfing behavior authorities and internet surfing time authorities are set for different MAC addresses, so that each terminal device can use network resources in a peak-shifting mode, and the conditions of centralized use and unreasonable allocation of the network resources are effectively avoided.
It should be noted that different MAC addresses may also correspond to the same access rights. Fig. 3 is a schematic diagram of a first correspondence relationship and a second correspondence relationship provided in an embodiment of the present application, as shown in fig. 3, MAC addresses are divided into different groups, and each group may include a different number of MAC addresses. In the first correspondence 301, MAC addresses divided into the same group correspond to the same access right, for example, MAC address 1, MAC address 2, and MAC address 3 each correspond to access right one, MAC address 4, MAC address 5, and MAC address 6 each correspond to access right two, MAC address 7, MAC address 8, and the like each correspond to access right three, and so on.
S204, matching a corresponding authentication mode from a preset second corresponding relation according to the access right, wherein the second corresponding relation comprises the corresponding relation between the access right and the authentication mode.
The authentication mode is the mode used when the terminal equipment performs network authentication; optionally, it is a verification-code mode or a password mode. In the verification-code mode the gateway sends a specified verification code to the terminal device, the user enters the code on the terminal device, which feeds it back to the gateway, and the gateway grants the permission to the terminal device when the fed-back code is consistent with the one it sent. The password mode works similarly, but the gateway does not send a verification code to the terminal; instead different passwords yield different access rights, for example by informing the users corresponding to different MAC addresses of their passwords in advance.
The different authentication modes refer to corresponding different verification codes or passwords in the same verification mode, for example, as shown in fig. 3, in the second correspondence 302, the first access right corresponds to the authentication password (i.e. verification code or password) a, the second access right corresponds to the authentication password B, and the third access right corresponds to the authentication password C.
It should be understood that the PORTAL authentication method provided by the embodiment of the present application is not limited to the two modes, but may be an identity information verification mode, digital certificate authentication or other multi-factor authentication, which is not limited. In some embodiments, the mode of authentication mode is user selectable, for example by providing the user with options via a display interface of the terminal device.
And S205, sending an authentication request to the terminal equipment in an authentication mode so that the terminal equipment generates authentication feedback based on the authentication request.
In the above step, an authentication mode corresponding to the MAC address is determined, and an authentication request is sent to the terminal device according to the authentication mode. The authentication request is used for presenting an authentication window to the user at the display position of the terminal equipment, and the user inputs a corresponding authentication password at the authentication window, and feedback information input by the user and fed back to the FTTR gateway is authentication feedback.
S206, responding to the authentication feedback of the terminal equipment, and opening the access right corresponding to the MAC address to the terminal equipment.
The FTTR gateway checks whether the authentication password contained in the authentication feedback is consistent with the expected one; if so, authentication passes and the corresponding access authority is opened; if not, authentication fails and a notification of the failure can be returned to the terminal equipment.
The embodiment of the application comprises receiving an access request from terminal equipment, the access request comprising a source IP address of the terminal equipment; acquiring a MAC address of the terminal equipment according to the source IP address; matching corresponding access rights from a preset first correspondence according to the MAC address, the first correspondence comprising a correspondence between the MAC address and the access rights; matching a corresponding authentication mode from a preset second correspondence according to the access rights, the second correspondence comprising a correspondence between the access rights and the authentication mode; sending the authentication request to the terminal equipment in the authentication mode so that the terminal equipment generates authentication feedback based on the authentication request; and opening the access rights corresponding to the MAC address to the terminal equipment in response to the authentication feedback. A differentiated access-authority management mechanism keyed on the MAC address is thus established: different network resources can be opened automatically to different terminal devices, the intelligence of differentiated access-authority management is further improved by presetting verification modes for different access authorities, the utilization rate of network resources is effectively improved, and the network security level is raised.
On the basis of the above embodiment, optionally, before matching the corresponding access right from the preset first correspondence according to the MAC address, it is determined whether the MAC address is recorded in the first correspondence: if so, the MAC address is taken as the MAC address corresponding to the access request; if not, the direct-connected device of the terminal device is found in the network topology graph and its MAC address is taken as the MAC address corresponding to the access request. This embodiment adds the step of determining whether the MAC address exists in the first correspondence because, in some embodiments, the preset first correspondence may be incomplete; for example, the MAC address of a visiting stranger is unlikely to have been added to the first correspondence when it was preset. In that case the direct-connected device of the terminal device is located in the network topology by the MAC address, and the access right and authentication mode are determined from the MAC address of the direct-connected device, which improves compatibility with different terminal devices.
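The flow S201 to S206 above, together with the optional fallback to the direct-connected device, is a pair of table lookups followed by a credential check. The following Python model is an added illustration and is not the patent's or the assignee's implementation; the neighbour table, the two correspondences, the topology, the MAC addresses and the password are all constructed sample data, and the verification code is drawn with `secrets` (injectable for testing). The right is opened to the terminal's own MAC even when the lookup fell back to the direct-connected device's MAC.

```python
from dataclasses import dataclass
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed sample tables (not from the patent).
# S202: the neighbour/ARP table the gateway consults to map a source IP to a MAC.
NEIGHBOR_TABLE: Dict[str, str] = {
    "192.168.1.10": "aa:bb:cc:00:00:01",
    "192.168.1.11": "aa:bb:cc:00:00:04",
    "192.168.1.20": "aa:bb:cc:00:00:99",   # visitor device, absent from the first correspondence
}
# First correspondence (301): MAC address -> access right; grouped MACs share a right.
FIRST_CORRESPONDENCE: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "right_one",
    "aa:bb:cc:00:00:02": "right_one",
    "aa:bb:cc:00:00:03": "right_one",
    "aa:bb:cc:00:00:04": "right_two",
}
# Second correspondence (302): access right -> (authentication mode, preset password).
# A verification-code right has no preset; the gateway generates the code per request.
SECOND_CORRESPONDENCE: Dict[str, Tuple[str, Optional[str]]] = {
    "right_one": ("verification_code", None),
    "right_two": ("password", "password-B"),
}
# Network topology: terminal MAC -> MAC of the device it is directly connected to.
TOPOLOGY: Dict[str, str] = {"aa:bb:cc:00:00:99": "aa:bb:cc:00:00:04"}


@dataclass
class AuthSession:
    mac: str            # terminal MAC the right will be opened to (S206)
    access_right: str
    mode: str
    expected: str       # credential the authentication feedback must match


class PortalGateway:
    def __init__(self, neighbor_table, first_corr, second_corr, topology,
                 code_source: Callable[[], str] = lambda: f"{secrets.randbelow(10**6):06d}"):
        self.neighbor_table, self.first_corr = neighbor_table, first_corr
        self.second_corr, self.topology = second_corr, topology
        self.code_source = code_source
        self.sessions: Dict[str, AuthSession] = {}   # pending authentications by terminal MAC
        self.opened: Dict[str, str] = {}             # terminal MAC -> access right opened

    def resolve_mac(self, src_ip: str) -> str:
        """S202: source IP -> MAC via the neighbour table."""
        mac = self.neighbor_table.get(src_ip)
        if mac is None:
            raise LookupError(f"no neighbour entry for {src_ip}")
        return mac

    def effective_mac(self, mac: str) -> str:
        """Pre-S203 check: use the MAC if recorded, else fall back to the direct-connected device."""
        if mac in self.first_corr:
            return mac
        direct = self.topology.get(mac)
        if direct is None or direct not in self.first_corr:
            raise PermissionError(f"{mac} and its direct-connected device are not in the first correspondence")
        return direct

    def match_access_right(self, mac: str) -> str:          # S203
        return self.first_corr[self.effective_mac(mac)]

    def match_auth_mode(self, access_right: str) -> Tuple[str, Optional[str]]:   # S204
        return self.second_corr[access_right]

    def send_auth_request(self, src_ip: str) -> Tuple[str, dict]:
        """S201-S205: returns (terminal MAC, authentication request sent to the terminal)."""
        mac = self.resolve_mac(src_ip)
        access_right = self.match_access_right(mac)
        mode, preset = self.match_auth_mode(access_right)
        if mode == "verification_code":
            expected = self.code_source()
            payload = {"mode": mode, "code": expected}   # code is delivered to the terminal
        elif mode == "password":
            expected = preset
            payload = {"mode": mode}                     # password was shared in advance
        else:
            raise ValueError(f"unsupported authentication mode {mode}")
        self.sessions[mac] = AuthSession(mac, access_right, mode, expected)
        return mac, payload

    def handle_auth_feedback(self, mac: str, credential: str) -> Optional[str]:
        """S206: constant-time compare; open the right on success, return None on failure."""
        session = self.sessions.pop(mac, None)
        if session is None:
            return None
        if hmac.compare_digest(session.expected.encode(), credential.encode()):
            self.opened[mac] = session.access_right
            return session.access_right
        return None


def build_sample_gateway(code_source: Optional[Callable[[], str]] = None) -> PortalGateway:
    kwargs = {"code_source": code_source} if code_source else {}
    return PortalGateway(NEIGHBOR_TABLE, FIRST_CORRESPONDENCE, SECOND_CORRESPONDENCE, TOPOLOGY, **kwargs)


if __name__ == "__main__":
    gw = build_sample_gateway()
    mac, request = gw.send_auth_request("192.168.1.20")   # visitor inherits right_two via the topology
    print(mac, request, gw.handle_auth_feedback(mac, "password-B"))
```

A failed feedback discards the pending session, so the terminal has to trigger a fresh authentication request (and, in verification-code mode, receive a fresh code) before trying again.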
Optionally, receiving an access request from the terminal device includes receiving an access request forwarded by the sub-gateway, assigning a management IP address to the sub-gateway, establishing an interaction channel with the sub-gateway through the management IP address, receiving a port configuration request from the sub-gateway, and sending configuration feedback to the sub-gateway in response to the port configuration request, so that the sub-gateway adds the target port to the port service bridge according to the configuration feedback, and removes the non-target port from the port service bridge.
The embodiment of the application is suitable for application scenarios that comprise a main gateway and sub-gateways, and aims to synchronise the PORTAL authentication function from the FTTR main gateway to the sub-gateways, distributing the PORTAL authentication work of the FTTR main gateway across the sub-gateways and thereby improving the data processing speed.
Fig. 4 is an interaction diagram between the main gateway and the sub-gateway in the PORTAL authentication method applied to FTTR gateways according to an embodiment of the present application; it shows the data flow of the interaction between the main gateway and the sub-gateway in an embodiment that includes an FTTR main gateway and a sub-gateway. As shown in fig. 4, the interaction includes:
The FTTR main gateway establishes the port corresponding to the layer-2 PORTAL service vlan interface: on each network card (including the gateway) a layer-2 vlan interface of the configured PORTAL service vlan is established, and the vlan interface is added to the bridge where the PORTAL service is located;
The sub-gateway establishes the layer-2 PORTAL service vlan interface on its uplink port (link-up): when the sub-gateway is connected to the FTTR main gateway, a layer-2 vlan interface of the configured PORTAL service vlan is established at the uplink port, and the vlan interface is added to the bridge where the PORTAL service is located;
The sub-gateway sends an untagged DHCP request to the main gateway. Option 12 of the DHCP request carries a pre-added encrypted special field, such as fttrsub, and the main gateway allocates a management IP address according to the DHCP request; that is, the sub-gateway obtains a management IP through the untagged DHCP request;
The main gateway judges, through the option 12 field, whether the requesting device is a sub-gateway, and if so adds it to the sub-gateway management list. That is, the main gateway judges from the encrypted special field whether the accessing device is a legal sub-gateway, and if it is legal adds it to the main/sub-gateway communication whitelist (which stores the MAC address);
The sub-gateway interacts with the main gateway through the management IP to request the PORTAL service vlan; the main gateway returns the PORTAL service vlan, and the sub-gateway checks whether that PORTAL service vlan was established earlier, establishing the corresponding vlan if it was not established correctly;
The sub-gateway actively acquires the PORTAL service port information from the main gateway; the main gateway returns the PORTAL service port information; the sub-gateway judges whether its current PORTAL service port configuration is consistent with what was returned and adjusts the PORTAL service ports if not. That is, if the returned configuration is consistent with the current configuration nothing is done; if it is inconsistent, ports to be enabled are added to the PORTAL service bridge, and ports to be disabled are removed from the PORTAL service bridge and added to the common service bridge (or the bound bridge).
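The main-gateway side of the sub-gateway synchronisation above (option 12 check, whitelist, management IP, vlan/port queries) and the sub-gateway's port reconciliation, as an added Python illustration that is not the patent's code. The patent only says the option 12 field is "encrypted"; here that is modelled, as an assumption, as the fttrsub marker plus an HMAC tag bound to the requesting MAC under a shared key. MACs, keys, vlan id, port and bridge names are constructed.

```python
import hashlib
import hmac

MARKER = "fttrsub"
SHARED_KEY = b"constructed-shared-key"   # provisioned on main and sub-gateway (assumption)
PORTAL_BRIDGE = "br-portal"              # bridge where the PORTAL service lives (assumed name)
COMMON_BRIDGE = "br-lan"                 # common service bridge (assumed name)


def make_option12(sub_mac):
    """What a sub-gateway places in DHCP option 12 of its untagged DHCP
    request: the marker plus a tag that is bound to its own MAC."""
    tag = hmac.new(SHARED_KEY, (MARKER + sub_mac).encode(), hashlib.sha256).hexdigest()[:16]
    return "%s-%s" % (MARKER, tag)


def is_legal_sub_gateway(option12, client_mac):
    """Main-gateway check: the tag must verify for the MAC that actually sent
    the request, so a bare 'fttrsub' hostname or a field copied from another
    device does not get a management IP."""
    if option12 is None or not option12.startswith(MARKER + "-"):
        return False
    return hmac.compare_digest(option12, make_option12(client_mac))


class SubGatewayManager:
    """Main gateway: management list, management IP pool and config queries."""

    def __init__(self, portal_vlan, portal_ports, pool):
        self.portal_vlan = portal_vlan           # PORTAL service vlan id
        self.portal_ports = set(portal_ports)    # ports that belong in the PORTAL bridge
        self._pool = list(pool)                  # management IPs to hand out
        self.whitelist = {}                      # sub-gateway MAC -> management IP

    def handle_dhcp(self, client_mac, option12):
        """Allocate a management IP only to a verified sub-gateway."""
        if not is_legal_sub_gateway(option12, client_mac):
            return None
        if client_mac not in self.whitelist:
            self.whitelist[client_mac] = self._pool.pop(0)
        return self.whitelist[client_mac]

    def query(self, mgmt_ip, what):
        """Answer vlan / port queries only over a whitelisted management channel."""
        if mgmt_ip not in self.whitelist.values():
            raise PermissionError("not a whitelisted sub-gateway")
        return self.portal_vlan if what == "vlan" else sorted(self.portal_ports)


def reconcile_ports(current_portal_ports, target_portal_ports):
    """Sub-gateway side: compare local PORTAL bridge membership with the main
    gateway's answer and return the bridge moves as (port, from, to).
    An empty list means the configuration already matches and nothing is done."""
    current, target = set(current_portal_ports), set(target_portal_ports)
    moves = []
    for port in sorted(target - current):
        moves.append((port, COMMON_BRIDGE, PORTAL_BRIDGE))   # port to be enabled
    for port in sorted(current - target):
        moves.append((port, PORTAL_BRIDGE, COMMON_BRIDGE))   # port to be disabled
    return moves
```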
Optionally, the main gateway can view and configure the sub-gateways in a list (online or offline); when a sub-device comes online the main gateway transmits the setting information to the sub-gateway through the interaction interface, and the sub-gateway returns a configuration result after completing the configuration.
In some embodiments, the first correspondence and the second correspondence may be pre-stored, in the form of lists such as a blacklist and a whitelist, in a location accessible to the FTTR gateway. In some implementations, the DNS usage right is controlled by returning the local address in DNS replies when the terminal device accesses through an interface that requires authentication and is neither on the authentication whitelist nor authenticated. The traffic access right is controlled by prohibiting outward forwarding when the accessing terminal device's traffic destination address is not on the whitelist and the device is unauthenticated and not on the whitelist, and by translating the destination address and port of tcp 80 and 443 traffic that is not on the whitelist to the address and port monitored by the PORTAL module.
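The per-packet enforcement of the DNS usage right and the traffic access right described above, as an added Python illustration that is not the gateway's code. The PORTAL module's listening address and port, the interfaces that require authentication, the device whitelist, the destination whitelist and the packet records are constructed assumptions.

```python
PORTAL_ADDR, PORTAL_PORT = "192.168.1.1", 8080   # where the PORTAL module listens (assumed)
GATEWAY_ADDR = "192.168.1.1"                     # local address returned to unauthenticated DNS
AUTH_IFACES = {"wlan-guest"}                     # interfaces on which PORTAL auth is required
AUTH_WHITELIST = {"aa:bb:cc:00:00:01"}           # devices exempt from authentication
DEST_WHITELIST = {"203.0.113.10"}                # destinations reachable before auth (e.g. SMS platform)


def needs_auth(mac, iface):
    """A device needs PORTAL authentication only on an authenticating interface
    and only if it is not on the authentication whitelist."""
    return iface in AUTH_IFACES and mac not in AUTH_WHITELIST


def dns_answer(opened, mac, iface, real_ip):
    """DNS usage right: a device that still needs authentication and has not had
    its DNS right opened gets the gateway's local address instead of the real one."""
    if needs_auth(mac, iface) and "dns" not in opened.get(mac, ()):
        return GATEWAY_ADDR
    return real_ip


def decide(opened, pkt):
    """Traffic access right for one forwarded packet.
    pkt: dict with src_mac, iface, dst_ip, proto, dst_port.
    Returns ('forward', None), ('dnat', (addr, port)) or ('drop', None)."""
    mac, iface, dst = pkt["src_mac"], pkt["iface"], pkt["dst_ip"]
    if not needs_auth(mac, iface) or "traffic" in opened.get(mac, ()) or dst in DEST_WHITELIST:
        return ("forward", None)
    if pkt["proto"] == "tcp" and pkt["dst_port"] in (80, 443):
        return ("dnat", (PORTAL_ADDR, PORTAL_PORT))   # steer the browser to the PORTAL page
    return ("drop", None)                              # everything else is not forwarded outward


# Constructed sample packets: an unauthenticated visitor, an authenticated visitor
# and a whitelisted household device, all on the guest interface.
SAMPLE_PACKETS = [
    {"src_mac": "aa:bb:cc:00:00:0a", "iface": "wlan-guest", "dst_ip": "93.184.216.34", "proto": "tcp", "dst_port": 443},
    {"src_mac": "aa:bb:cc:00:00:0a", "iface": "wlan-guest", "dst_ip": "93.184.216.34", "proto": "udp", "dst_port": 5353},
    {"src_mac": "aa:bb:cc:00:00:0a", "iface": "wlan-guest", "dst_ip": "203.0.113.10", "proto": "tcp", "dst_port": 443},
    {"src_mac": "aa:bb:cc:00:00:09", "iface": "wlan-guest", "dst_ip": "93.184.216.34", "proto": "tcp", "dst_port": 80},
    {"src_mac": "aa:bb:cc:00:00:01", "iface": "wlan-guest", "dst_ip": "93.184.216.34", "proto": "tcp", "dst_port": 80},
]


def apply_policy(opened, packets=SAMPLE_PACKETS):
    """Run the decision over a batch of packets; opened maps MAC -> opened rights."""
    return [decide(opened, p) for p in packets]
```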
After the terminal device passes verification, a prompt of successful authentication may also be returned to the terminal device; when verification fails, a prompt of failed authentication is returned.
In other embodiments, the first correspondence and the second correspondence may be preset according to the user's network security requirements; for example, a temporary trust list may be added, and terminal devices in the temporary trust list may obtain all or part of the specified network access rights without performing the above PORTAL authentication, and so on.
According to the embodiment of the application, by presetting the correspondence among the MAC address, the access right and the authentication mode, a differentiated terminal-device access-right management mechanism is established, and multiple authentication modes give the user more choices; access users are divided into groups through the different authentication modes and verification passwords, which facilitates permission division, behaviour management and the like, while raising the security level of the accessing devices.
Fig. 5 is a second flowchart of the PORTAL authentication method applied to the FTTR gateway according to an embodiment of the present application, which shows another specific implementation in which terminal devices are grouped and access permission rules are established after access. As shown in fig. 4, the FTTR gateway implements the PORTAL authentication function with a PORTAL module. After the PORTAL module is started and initialised and a device (i.e. a terminal device) has accessed, its non-whitelist tcp 80 and 443 port requests are redirected to the address and port monitored by the PORTAL module, and the user authenticates in the preset mode. In the password mode (i.e. the password verification mode) the PORTAL module performs password authentication: if it passes, the PORTAL module adds the device to the corresponding group, establishes the corresponding rule (i.e. the correspondence between the MAC address, the access right and the authentication mode), releases the device and returns an authentication success page; if it fails, the user authentication page is returned. In the short message mode (i.e. the verification code verification mode) the PORTAL module forwards the MAC (i.e. the MAC address) and the mobile phone number to the short message platform; the user receives the short message and submits the verification code it contains; the PORTAL module submits the verification code to the short message platform for verification, and if verification passes an authentication success page is returned; if it fails, the authentication page is returned.
The foregoing embodiments describe the PORTAL authentication method applied to the FTTR gateway in detail; the PORTAL authentication device, the electronic device, the storage medium and the program product applied to the FTTR gateway provided in the embodiments of the application are now explained specifically.
Fig. 6 is a flowchart of a PORTAL authentication device applied to FTTR gateways according to an embodiment of the present application. As shown in fig. 6, the PORTAL authentication device 600 includes:
a receiving module 601, configured to receive an access request from a terminal device, where the access request includes a source IP address of the terminal device;
an obtaining module 602, configured to obtain, according to the source IP address, a MAC address of the terminal device;
The first matching module 603 is configured to match corresponding access rights from preset first corresponding relationships according to the MAC address, where the first corresponding relationships include a corresponding relationship between the MAC address and the access rights;
the second matching module 604 is configured to match a corresponding authentication mode from a preset second correspondence according to the access right, where the second correspondence includes a correspondence between the access right and the authentication mode;
a sending module 605, configured to send an authentication request to the terminal device in the authentication mode, so that the terminal device generates authentication feedback based on the authentication request;
and the permission opening module 606 is configured to open, to the terminal device, an access permission corresponding to the MAC address in response to authentication feedback of the terminal device.
Optionally, the PORTAL authentication device 600 further includes a determining module, where the determining module is configured to determine whether the MAC address is recorded in the first correspondence, if so, take the MAC address as the MAC address corresponding to the access request, if not, search the network topology map for the direct-connected device of the terminal device, and take the MAC address of the direct-connected device as the MAC address corresponding to the access request.
Optionally, the access rights include at least one of DNS usage rights, traffic access rights, internet surfing behavior rights, and internet surfing time rights.
Optionally, the authentication mode includes a verification code verification mode or a password verification mode.
Optionally, the receiving module 601 may be configured to receive an access request forwarded by the sub-gateway, allocate a management IP address to the sub-gateway, establish an interaction channel with the sub-gateway through the management IP address, receive a port configuration request from the sub-gateway, and send configuration feedback to the sub-gateway in response to the port configuration request, so that the sub-gateway adds the target port to the PORTAL service bridge according to the configuration feedback and removes the non-target port from the PORTAL service bridge.
The device provided by the embodiment of the application can be used for executing the PORTAL authentication method applied to the FTTR gateway, and the implementation mode and the technical effect are similar, and are not repeated here.
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 7, the electronic device 700 includes:
a processor 701, a memory 702, a communication interface 703 and a system bus 704.
The memory 702 and the communication interface 703 are connected to the processor 701 through the system bus 704 and communicate with each other; the memory 702 is used for storing computer execution instructions, the communication interface 703 is used for communicating with other devices, and the processor 701 is used for executing the computer execution instructions so as to carry out the PORTAL authentication method applied to the FTTR gateway in the method embodiment.
Specifically, the processor 701 may include one or more processing units; for example, the processor 701 may be a CPU, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the present application may be embodied directly in a hardware processor for execution, or in a combination of hardware and software modules within a processor.
Memory 702 may be used to store program instructions. The memory 702 may include a stored program area and a stored data area. The storage program area may store an application program (such as a sound playing function, etc.) required for at least one function of the operating system, and the like. The storage data area may store data created during use of the electronic device 700 (e.g., audio data, etc.), and so on. In addition, the memory 702 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, universal flash memory (Universal Flash Storage, abbreviated UFS), and the like. The processor 701 performs various functional applications and data processing of the electronic device 700 by executing program instructions stored in the memory 702.
The communication interface 703 may provide a solution for wireless communication applied on the electronic device 700, including 2G/3G/4G/5G. The communication interface 703 may receive electromagnetic waves from an antenna, filter and amplify the received electromagnetic waves, and pass them to a modem processor for demodulation. The communication interface 703 may also amplify the signal modulated by the modem processor and convert it into electromagnetic waves radiated through an antenna. In some embodiments, at least some of the functional modules of the communication interface 703 may be provided in the processor 701. In some embodiments, at least some of the functional modules of the communication interface 703 may be provided in the same device as at least some of the modules of the processor 701.
The system bus 704 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The system bus 704 may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration only one thick line is drawn in the figure, but this does not mean there is only one bus or only one type of bus.
It should be noted that the numbers of memories 702 and processors 701 in the embodiments of the present application are not limited: there may be one or more of each, and fig. 7 illustrates one of each. The memory 702 and the processor 701 may be connected by wire or wirelessly in various manners, for example by a bus. In practice, the electronic device 700 may be a computer or a mobile terminal in various forms: computers such as laptop computers, desktop computers, workstations, servers, blade servers and mainframe computers, and mobile terminals such as personal digital assistants, cellular telephones, smart phones, wearable devices and other similar computing devices.
The electronic device of the present embodiment may be used to execute the technical solution in the foregoing method embodiment, and its implementation principle and technical effects are similar, and are not described herein again.
The embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium stores computer execution instructions, and the computer execution instructions are used for realizing the scheme of the PORTAL authentication method applied to the FTTR gateway in the method embodiment when being executed by a processor.
The embodiment of the application also provides a computer program product, which comprises a computer program, wherein when the computer program is executed, the scheme of the PORTAL authentication method applied to the FTTR gateway in the embodiment of the method is realized.
The foregoing description is only of the preferred embodiments of the present application, and is not intended to limit the scope of the application, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (6)

1. A PORTAL authentication method applied to an FTTR gateway, characterized in that it includes:
receiving an access request from a terminal device, wherein the access request includes a source IP address of the terminal device;
obtaining the MAC address of the terminal device according to the source IP address;
according to the MAC address, matching a corresponding access right from a preset first correspondence, wherein the first correspondence includes a correspondence between MAC addresses and access rights;
according to the access right, matching a corresponding authentication method from a preset second correspondence, wherein the second correspondence includes a correspondence between access rights and authentication methods; the mode of the authentication method includes a verification code verification mode or a password verification mode; different authentication methods refer to different verification codes or passwords under the same verification mode;
sending an authentication request to the terminal device in the authentication method, so that the terminal device generates authentication feedback based on the authentication request;
in response to the authentication feedback from the terminal device, opening the access right corresponding to the MAC address to the terminal device;
wherein, before matching the corresponding access right from the preset first correspondence according to the MAC address, the method further includes:
determining whether the MAC address is recorded in the first correspondence;
if yes, using the MAC address as the MAC address corresponding to the access request;
if not, searching the network topology diagram for the directly connected device of the terminal device;
using the MAC address of the directly connected device as the MAC address corresponding to the access request;
and wherein receiving an access request from a terminal device includes:
receiving the access request forwarded by a sub-gateway;
allocating a management IP address to the sub-gateway;
establishing an interaction channel with the sub-gateway through the management IP address, and receiving a PORTAL service port configuration request from the sub-gateway;
in response to the PORTAL service port configuration request, sending configuration feedback to the sub-gateway, so that the sub-gateway adds the target port to the PORTAL service bridge and removes the non-target port from the PORTAL service bridge according to the configuration feedback.

2. The PORTAL authentication method according to claim 1, wherein the access rights include at least one of DNS usage rights, traffic access rights, Internet behaviour rights and Internet time rights.

3. A PORTAL authentication device applied to an FTTR gateway, characterized in that the device comprises:
a receiving module, configured to receive an access request from a terminal device, wherein the access request includes a source IP address of the terminal device;
an acquisition module, configured to obtain the MAC address of the terminal device according to the source IP address;
a first matching module, configured to match a corresponding access right from a preset first correspondence according to the MAC address, wherein the first correspondence includes a correspondence between MAC addresses and access rights;
a second matching module, configured to match a corresponding authentication method from a preset second correspondence according to the access right, wherein the second correspondence includes a correspondence between access rights and authentication methods; the mode of the authentication method includes a verification code verification mode or a password verification mode; different authentication methods refer to different verification codes or passwords under the same verification mode;
a sending module, configured to send an authentication request to the terminal device in the authentication method, so that the terminal device generates authentication feedback based on the authentication request;
a permission opening module, configured to open the access right corresponding to the MAC address to the terminal device in response to the authentication feedback from the terminal device;
a determination module, configured to: before matching the corresponding access right from the preset first correspondence according to the MAC address, determine whether the MAC address is recorded in the first correspondence; if yes, use the MAC address as the MAC address corresponding to the access request; if not, search the network topology diagram for the directly connected device of the terminal device, and use the MAC address of the directly connected device as the MAC address corresponding to the access request;
wherein receiving an access request from a terminal device includes:
receiving the access request forwarded by a sub-gateway;
allocating a management IP address to the sub-gateway;
establishing an interaction channel with the sub-gateway through the management IP address, and receiving a PORTAL service port configuration request from the sub-gateway;
in response to the PORTAL service port configuration request, sending configuration feedback to the sub-gateway, so that the sub-gateway adds the target port to the PORTAL service bridge and removes the non-target port from the PORTAL service bridge according to the configuration feedback.

4. An electronic device, characterized in that it comprises: a memory and a processor; the memory is used to store program instructions; the processor is used to call the program instructions to execute the PORTAL authentication method according to claim 1 or 2.

5. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer-executable instructions which, when executed by a processor, implement the PORTAL authentication method according to claim 1 or 2.

6. A computer program product, characterized in that it comprises a computer program; when the computer program is executed, the PORTAL authentication method according to claim 1 or 2 is implemented.
CN202411163208.5A 2024-08-23 2024-08-23 PORTAL authentication method, device and storage medium applied to FTTR gateway Active CN118694608B (en)

Publications (2)

Publication Number Publication Date
CN118694608A CN118694608A (en) 2024-09-24
CN118694608B true CN118694608B (en) 2025-04-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant